1. 16 Sep, 2010 2 commits
  2. 15 Sep, 2010 7 commits
    • Alex Deucher's avatar
      drm/radeon/kms: only warn on mipmap size checks in r600 cs checker (v2) · fe725d4f
      Alex Deucher authored
      The texture base address registers are in units of 256 bytes.
      The original CS checker treated these offsets as bytes, so the
      original check was wrong.  I fixed the units in a patch during
      the 2.6.36 cycle, but this ended up breaking some existing
      userspace (probably due to a bug in either userspace texture allocation
      or the drm texture mipmap checker).  So for now, until we come
      up with a better fix, just warn if the mipmap size it too large.
      This will keep existing userspace working and it should be just
      as safe as before when we were checking the wrong units.  These
      are GPU MC addresses, so if they fall outside of the VRAM or
      GART apertures, they end up at the GPU default page, so this should
      be safe from a security perspective.
      
      v2: Just disable the warning.  It just spams the log and there's
      nothing the user can do about it.
      Signed-off-by: default avatarAlex Deucher <alexdeucher@gmail.com>
      Cc: Jerome Glisse <glisse@freedesktop.org>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      fe725d4f
    • Linus Torvalds's avatar
      Merge ssh://master.kernel.org/home/hpa/tree/sec · 9c03f162
      Linus Torvalds authored
      * ssh://master.kernel.org/home/hpa/tree/sec:
        x86-64, compat: Retruncate rax after ia32 syscall entry tracing
        x86-64, compat: Test %rax for the syscall number, not %eax
        compat: Make compat_alloc_user_space() incorporate the access_ok()
      9c03f162
    • David Howells's avatar
      MN10300: Fix up the IRQ names for the on-chip serial ports · a4128b03
      David Howells authored
      Fix up the IRQ names for the MN10300 on-chip serial ports in the driver as
      request_interrupt() no longer allows names containing slashes, giving a warning
      like the following if one is encountered:
      
      	------------[ cut here ]------------
      	WARNING: at fs/proc/generic.c:323 __xlate_proc_name+0x62/0x7c()
      	name 'ttySM0/Rx'
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      a4128b03
    • Linus Torvalds's avatar
      Merge git://git.infradead.org/mtd-2.6 · 65e0b598
      Linus Torvalds authored
      * git://git.infradead.org/mtd-2.6:
        mtd: pxa3xx: fix build error when CONFIG_MTD_PARTITIONS is not defined
        mtd: mxc_nand: configure pages per block for v2 controller
        mtd: OneNAND: Fix loop hang when DMA error at Samsung SoCs
        mtd: OneNAND: Fix 2KiB pagesize handling at Samsung SoCs
        mtd: Blackfin NFC: fix invalid free in remove()
        mtd: Blackfin NFC: fix build error after nand_scan_ident() change
        mxc_nand: Do not do byte accesses to the NFC buffer.
      65e0b598
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid · d7a4b63b
      Linus Torvalds authored
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
        HID: fix hiddev's use of usb_find_interface
        HID: fixup blacklist entry for Asus T91MT
        HID: add device ID for new Asus Multitouch Controller
        HID: add no-get quirk for eGalax touch controller
        HID: Add quirk for eGalax touch controler.
        HID: add support for another BTC Emprex remote control
        HID: Set Report ID properly for Output reports on the Control endpoint.
        HID: Kanvus Note A5 tablet needs HID_QUIRK_MULTI_INPUT
        HID: Add support for chicony multitouch screens.
      d7a4b63b
    • Linus Torvalds's avatar
      Merge branch 'bugfixes' of git://git.linux-nfs.org/projects/trondmy/nfs-2.6 · de8d4f5d
      Linus Torvalds authored
      * 'bugfixes' of git://git.linux-nfs.org/projects/trondmy/nfs-2.6:
        SUNRPC: Fix the NFSv4 and RPCSEC_GSS Kconfig dependencies
        statfs() gives ESTALE error
        NFS: Fix a typo in nfs_sockaddr_match_ipaddr6
        sunrpc: increase MAX_HASHTABLE_BITS to 14
        gss:spkm3 miss returning error to caller when import security context
        gss:krb5 miss returning error to caller when import security context
        Remove incorrect do_vfs_lock message
        SUNRPC: cleanup state-machine ordering
        SUNRPC: Fix a race in rpc_info_open
        SUNRPC: Fix race corrupting rpc upcall
        Fix null dereference in call_allocate
      de8d4f5d
    • Jeff Moyer's avatar
      aio: check for multiplication overflow in do_io_submit · 75e1c70f
      Jeff Moyer authored
      Tavis Ormandy pointed out that do_io_submit does not do proper bounds
      checking on the passed-in iocb array:
      
             if (unlikely(nr < 0))
                     return -EINVAL;
      
             if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(iocbpp)))))
                     return -EFAULT;                      ^^^^^^^^^^^^^^^^^^
      
      The attached patch checks for overflow, and if it is detected, the
      number of iocbs submitted is scaled down to a number that will fit in
      the long.  This is an ok thing to do, as sys_io_submit is documented as
      returning the number of iocbs submitted, so callers should handle a
      return value of less than the 'nr' argument passed in.
      Reported-by: default avatarTavis Ormandy <taviso@cmpxchg8b.com>
      Signed-off-by: default avatarJeff Moyer <jmoyer@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      75e1c70f
  3. 14 Sep, 2010 7 commits
    • Roland McGrath's avatar
      x86-64, compat: Retruncate rax after ia32 syscall entry tracing · eefdca04
      Roland McGrath authored
      In commit d4d67150, we reopened an old hole for a 64-bit ptracer touching a
      32-bit tracee in system call entry.  A %rax value set via ptrace at the
      entry tracing stop gets used whole as a 32-bit syscall number, while we
      only check the low 32 bits for validity.
      
      Fix it by truncating %rax back to 32 bits after syscall_trace_enter,
      in addition to testing the full 64 bits as has already been added.
      Reported-by: default avatarBen Hawkes <hawkes@sota.gen.nz>
      Signed-off-by: default avatarRoland McGrath <roland@redhat.com>
      Signed-off-by: default avatarH. Peter Anvin <hpa@linux.intel.com>
      eefdca04
    • H. Peter Anvin's avatar
      x86-64, compat: Test %rax for the syscall number, not %eax · 36d001c7
      H. Peter Anvin authored
      On 64 bits, we always, by necessity, jump through the system call
      table via %rax.  For 32-bit system calls, in theory the system call
      number is stored in %eax, and the code was testing %eax for a valid
      system call number.  At one point we loaded the stored value back from
      the stack to enforce zero-extension, but that was removed in checkin
      d4d67150.  An actual 32-bit process
      will not be able to introduce a non-zero-extended number, but it can
      happen via ptrace.
      
      Instead of re-introducing the zero-extension, test what we are
      actually going to use, i.e. %rax.  This only adds a handful of REX
      prefixes to the code.
      Reported-by: default avatarBen Hawkes <hawkes@sota.gen.nz>
      Signed-off-by: default avatarH. Peter Anvin <hpa@linux.intel.com>
      Cc: <stable@kernel.org>
      Cc: Roland McGrath <roland@redhat.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      36d001c7
    • H. Peter Anvin's avatar
      compat: Make compat_alloc_user_space() incorporate the access_ok() · c41d68a5
      H. Peter Anvin authored
      compat_alloc_user_space() expects the caller to independently call
      access_ok() to verify the returned area.  A missing call could
      introduce problems on some architectures.
      
      This patch incorporates the access_ok() check into
      compat_alloc_user_space() and also adds a sanity check on the length.
      The existing compat_alloc_user_space() implementations are renamed
      arch_compat_alloc_user_space() and are used as part of the
      implementation of the new global function.
      
      This patch assumes NULL will cause __get_user()/__put_user() to either
      fail or access userspace on all architectures.  This should be
      followed by checking the return value of compat_access_user_space()
      for NULL in the callers, at which time the access_ok() in the callers
      can also be removed.
      Reported-by: default avatarBen Hawkes <hawkes@sota.gen.nz>
      Signed-off-by: default avatarH. Peter Anvin <hpa@linux.intel.com>
      Acked-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      Acked-by: default avatarChris Metcalf <cmetcalf@tilera.com>
      Acked-by: default avatarDavid S. Miller <davem@davemloft.net>
      Acked-by: default avatarIngo Molnar <mingo@elte.hu>
      Acked-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Acked-by: default avatarTony Luck <tony.luck@intel.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Fenghua Yu <fenghua.yu@intel.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: Helge Deller <deller@gmx.de>
      Cc: James Bottomley <jejb@parisc-linux.org>
      Cc: Kyle McMartin <kyle@mcmartin.ca>
      Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Cc: Paul Mackerras <paulus@samba.org>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: <stable@kernel.org>
      c41d68a5
    • Alex Deucher's avatar
      drm/radeon/kms: force legacy pll algo for RV620 LVDS · f90087ee
      Alex Deucher authored
      There has been periodic evidence that LVDS, on at least some
      panels, prefers the dividers selected by the legacy pll algo.
      This patch forces the use of the legacy pll algo on RV620
      LVDS panels.  The old behavior (new pll algo) can be selected
      by setting the new_pll module parameter to 1.
      
      Fixes:
      https://bugs.freedesktop.org/show_bug.cgi?id=30029Signed-off-by: default avatarAlex Deucher <alexdeucher@gmail.com>
      Cc: stable@kernel.org
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      f90087ee
    • Dave Airlie's avatar
      drm: fix race between driver loading and userspace open. · b64c115e
      Dave Airlie authored
      Not 100% sure this is due to BKL removal, its most likely a combination
      of that + userspace timing changes in udev/plymouth. The drm adds the sysfs
      device before the driver has completed internal loading, this causes udev
      to make the node and plymouth to open it before we've completed loading.
      
      The proper solution is to delay the sysfs manipulation until later in loading
      however this causes knock on issues with sysfs connector nodes, so we can use
      the global mutex to serialise loading and userspace opens.
      
      Reported-by: Toni Spets (hifi on #radeon)
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      b64c115e
    • Chris Wilson's avatar
      drm: Use a nondestructive mode for output detect when polling (v2) · 930a9e28
      Chris Wilson authored
      v2: Julien Cristau pointed out that @nondestructive results in
      double-negatives and confusion when trying to interpret the parameter,
      so use @force instead. Much easier to type as well. ;-)
      
      And fix the miscompilation of vmgfx reported by Sedat Dilek.
      Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Cc: stable@kernel.org
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      930a9e28
    • Guillaume Chazarain's avatar
      HID: fix hiddev's use of usb_find_interface · 8fe294ca
      Guillaume Chazarain authored
      My macbook infrared remote control was broken by commit
      bd25f4dd ("HID: hiddev: use
      usb_find_interface, get rid of BKL").
      
      This device appears in dmesg as:
      apple 0003:05AC:8242.0001: hiddev0,hidraw0: USB HID v1.11 Device
      [Apple Computer, Inc. IR Receiver] on usb-0000:00:1d.2-1/input0
      
      It stopped working as lircd was getting ENODEV when opening /dev/usb/hiddev0.
      
      AFAICS hiddev_driver is a dummy driver so usb_find_interface(&hiddev_driver)
      does not find anything.
      
      The device is associated with the usbhid driver, so let's do
      usb_find_interface(&hid_driver) instead.
      
      $ ls -l /sys/devices/pci0000:00/0000:00:1d.2/usb7/7-1/7-1:1.0/usb/hiddev0/device/driver
      lrwxrwxrwx 1 root root 0 2010-09-12 16:28 /sys/devices/pci0000:00/0000:00:1d.2/usb7/7-1/7-1:1.0/usb/hiddev0/device/driver -> ../../../../../../bus/usb/drivers/usbhid
      Signed-off-by: default avatarGuillaume Chazarain <guichaz@gmail.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      8fe294ca
  4. 13 Sep, 2010 24 commits